Which platform will save you from the nasties?

Last week in these pages, Next carried a story that is
receiving an increasing amount of media attention: which is more
secure - Windows or Linux?

A snide answer is OpenBSD, which has an exemplary record with
respect to security. But let's stick to the two most broadly used
platforms in IT today.

Microsoft's hired analysts claim that Windows is more secure
than Linux. Should we believe them?

First, let's deal with the fact that the numbers presented cover
only one aspect of security, namely vendor advisories for
vulnerabilities.

Think of vulnerabilities as coding flaws in software, which
allow crackers to hook into and abuse your computer.
Vulnerabilities are important but aren't the most common problem.
Most security scares are caused by viruses and related malware,
which often don't rely on code vulnerabilities to do their dirty
work. Instead, they use poor system and application design inherent
in the platforms they propagate on.

Therefore, unless the vendor redesigns such software, rather
than merely patching it, there can be no real improvement in
security.

Such design flaws and a lack of software diversity are a key
reason why there are tens of thousands of viruses and related
malware for Windows, resulting in billions of dollars in business
damage to consumers.

This insecurity seems to have been in Windows since day one.
It's also been in many of Microsoft's applications, such as Office
and Outlook; think auto-executing macros received via email, to
understand what we mean. Think Melissa. Think ILOVEYOU.

By contrast, Linux rarely suffers from such security
problems.

A common misconception is that a popular platform such as
Windows attracts more than its fair share of malware and security
exploitations. Let's show that this premise is wrong once and for
all by way of a counter-example: the open-source Apache web server
has more than triple the market share of Microsoft's IIS yet has
had far fewer problems with security vulnerabilities and associated
malware over the years.

Open source is not a guarantee of better security, however. In
and of itself, the open-source development process has no
theoretical advantage in vulnerability reduction or resolution
mechanisms over well-supported closed-source platforms from
responsive vendors.

Historically, many such vendors have been less than responsive.
Linux is now forcing them to improve. Here's how.

Microsoft obtained its reputation for poor security partly by
being tardy in responding to critical and remotely exploitable
vulnerabilities. It improved its responsiveness in recent times
because it had to. Competition from Linux is so fierce that
Microsoft improved its security to be able to play in the same
arena.

If Microsoft can't be as fast at getting patches out as a bunch
of Linux volunteers, how would that look to customers paying for
software assurance?

There is another security advantage that Linux (along with all
Unix-like systems) has: each system component is cleanly decoupled
from the others. Breaking one module generally doesn't result
in a system-wide failure or require re-installing the system.

This has dramatic repercussions in terms of the psychology of
security-patch application.

Many Windows system administrators defer installing Microsoft
patches because of problems they've had in the past that have
caused widespread system failure in production environments. Such
deferrals lead to even further degradation in security.

Let's finally look at the numbers. We find that Linux vendors
generate more vulnerability fixes than Microsoft. These raw numbers
do not compare like with like, however. This is because the average
Linux distribution packs around 20 to 100 times more applications
than Microsoft does in Windows.

Even if you add all of Microsoft's applications together, their
number is dwarfed by what Linux vendors ship. Without taking such a
function size disparity into account, contrasting raw vulnerability
numbers is a disingenuous tactic indeed.

Moving beyond marketing statistics, what can average users do to
improve their computer security?

First, run a firewall; switch off non-essential services; do not
use applications with long and recent track records of security
flaws (e.g. Internet Explorer); do not use applications that may
possibly execute content (e.g. Outlook or Microsoft Office, unless
you are certain this feature is switched off and will remain so);
use alternatives to common viewers.

If possible, have two computers, either physical or virtual. If
you use Windows for most of your work, continue to do so, but do
your mail reading, web-surfing and internet activities on another
operating system, one which has a lower-risk profile.